Overview of Administrator Audit Logging

Exchange 2010

Applies to: Exchange Server 2010 SP2, Exchange Server 2010 SP3

Topic Last Modified: 2015-03-09

You can use administrator audit logging in Microsoft Exchange Server 2010 to record actions taken by a user or administrator that make changes in your organization. By keeping a log of the changes, you can trace a change to the person who made it. You can also augment your change logs with detailed records of the change as it was implemented, use the records to comply with regulatory requirements and requests for discovery, and so on.

By default, audit logging is enabled in new installations of Microsoft Exchange Server 2010 Service Pack 1 (SP1).

Cmdlets that are run directly in the Exchange Management Shell are audited. In addition, operations that are performed by using the Exchange Management Console (EMC) and the Exchange Web management interface are also logged because those operations run cmdlets in the background.

Regardless of where it’s run, a cmdlet is audited if it’s on the cmdlet auditing list and if one or more parameters on that cmdlet are on the parameter auditing list. Get- and Search- cmdlets aren't logged. Audit logging is intended to show what actions have been taken to modify objects in an Exchange organization rather than what objects have been viewed.

Important:

A cmdlet might not be logged if an error occurs before the cmdlet calls the Admin Audit Log cmdlet extension agent. If an error occurs after the Admin Audit Log agent is called, the cmdlet is logged together with the associated error. For more information, see the Admin Audit Log Agent section later in this topic.
Changes that are made by using Microsoft Exchange Server 2007 management tools aren't logged.
Changes to the audit log configuration are refreshed every 60 minutes on computers that have the Shell open at the time a configuration change is made. If you want to apply the changes immediately, close and then open the Shell again on each computer.

By default, if audit logging is enabled, a log entry is created every time any cmdlet, other than a Get- or Search- cmdlet, is run. If you don't want to audit every cmdlet that's run, you can configure audit logging to audit only the cmdlets and parameters you're interested in. You configure audit logging with the Set-AdminAuditLogConfig cmdlet. The parameters referenced in the following sections are used with this cmdlet.

Important:

Changes to the administrator audit log configuration are always logged, regardless of whether the Set-AdministratorAuditLog cmdlet is included in the list of cmdlets being audited, or whether audit logging is enabled or disabled.

When a command is run, Exchange inspects the cmdlet that was used. If the cmdlet that was run matches any of the cmdlets provided with the AdminAuditLogConfigCmdlets parameter, Exchange then checks the parameters specified in the AdminAuditLogConfigParameters parameter. If at least one or more parameters from the parameters list are matched, Exchange logs the cmdlet that was run in the mailbox specified by using the AdminAuditLogMailbox parameter.

You can control which cmdlets are audited by providing a list of cmdlets, and their parameters, that you want to log. When you configure audit logging, you can specify to audit every cmdlet, or you can specify the cmdlets you want to audit using the AdminAuditLogConfigCmdlets parameter. You can specify full cmdlet names, such as New-Mailbox, or you can specify partial cmdlet names and enclose those names in wildcard characters, such as an asterisk (*). For example, if you want to log when any cmdlet that contains the string Transport runs, you can specify a value of *Transport*. You can use a mix of full cmdlet names and partial cmdlet names at the same time to tailor the audit logging configuration to your needs.

In addition to specifying which cmdlets you want to log, you can also indicate that cmdlets should only be logged if certain parameters on those cmdlets are used. Use the AdminAuditLogConfigParameters parameter to specify which parameters should be logged. As with cmdlets, you can specify full parameter names, such as Database, or partial parameter names enclosed in wildcard characters (*), such as *Address*, or a combination of both.

By default, audit logging is configured to store audit log entries for 90 days. After 90 days, the audit log entry is deleted. You can change the audit log age limit using the AdminAuditLogAgeLimit parameter. You can specify the number of days, hours, minutes, and seconds that audit log entries should be kept. To specify a value, use the format dd.hh:mm:ss where the following applies:

dd The number of days to keep the audit log entry.

hh The number of hours to keep the audit log entry.

mm The number of minutes to keep the audit log entry.

ss The number of seconds to keep the audit log entry.

You must specify multiple years using the dd field. For example, 365 days equals one year; 730 days equals two years; 913 days equals two years and six months. For example, to set the audit log age limit to two years and six months, use the syntax 913.00:00:00.

Caution:

You can set the audit log age limit to a value that's less than the current age limit. If you do this, any audit log entry whose age exceeds the new age limit is deleted.
If you set the age limit to 0, Exchange deletes all the entries in the audit log.
We recommend that you grant permissions to configure the audit log age limit only to highly trusted users.

Cmdlets that begin with the verb Test aren't logged by default. You can indicate that Test cmdlets should be logged by setting the TestCmdletLoggingEnabled parameter to $true. Although you can enable logging of test cmdlets, we recommend that you do this only for short periods of time. This is because test cmdlets can produce a large amount of information.

Each time that a cmdlet is logged, an audit log entry is created. Audit logs are stored in a hidden, dedicated arbitration mailbox that can be accessed only by using the Exchange Control Panel (ECP) Auditing Reports page or the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlet. Audit logs can't be opened by using Microsoft Office Outlook Web App or Microsoft Outlook. The following sections provide information about the following:

What's included in the logs

Reports available on the ECP Auditing Reports page

Audit log search cmdlets

Note:

With Exchange 2010 release to manufacturing (RTM), you specify an administrator audit log mailbox. Administrator audit logging in Exchange 2010 SP1 uses a dedicated mailbox. This dedicated mailbox can't be changed or configured.
The ECP Auditing Reports page, and the Search-AdminAuditLog and New-AdminAuditLogSearch cmdlets work only with Exchange 2010 SP1 administrator audit logs. To view the contents of an Exchange 2010 RTM audit log mailbox, you must open that mailbox using Outlook Web App or an e-mail client such as Outlook.

Each audit log entry contains the information described in the following table. The audit log contains one or more audit log entries. The number of audit log entries is controlled by the audit log age limit that’s specified by using the Set-AdminAuditLog cmdlet. Any audit log entry that exceeds the age limit is deleted.

Audit log entry fields

Field

Description

RunspaceId

This field is used internally by Exchange.

ObjectModified

This field contains the object that was modified by the cmdlet specified in the CmdletName field.

CmdletName

This field contains the name of the cmdlet that was run by the user in the Caller field.

CmdletParameters

This field contains the parameters that were specified when the cmdlet in the CmdletName field was run. Also stored in this field, but not visible in the default output, is the value specified with the parameter, if any. For more information about how to access the additional information in this field, see Search the Administrator Audit Log.

ModifiedProperties

This field contains the properties that were modified on the object in the ObjectModified field. Also stored in this field, but not visible in the default output, are the old value of the property and the new value that was stored. For more information about how to access the additional information in this field, see Search the Administrator Audit Log.

Caller

This field contains the user account of the user who ran the cmdlet in the CmdletName field.

Succeeded

This field specifies whether the cmdlet in the CmdletName field ran successfully. The value is either True or False.

Error

This field contains the error message generated if the cmdlet in the CmdletName field failed to complete successfully.

RunDate

This field contains the date and time when the cmdlet in the CmdletName field was run. The date and time are stored in Coordinated Universal Time (UTC) format.

The Auditing Reports page in the ECP has several reports that provide information on various types of compliance and administrative configuration changes. The following reports provide information on configuration changes in your organization:

Administrator Role Changes This report enables you to search for changes to management role groups that you specify within a specified timeframe. The results that are returned include the role groups that have been changed, who changed them and when, and what changes were made. A maximum of 3,000 entries can be returned. If your search might return more than 3,000 entries, use the Export Configuration Changes report or the Search-AdminAuditLog cmdlet.

Export Configuration Changes This report enables you to export the audit log entries recorded within a specified timeframe to a XML file and then email the file to a recipient you specify. For more information about the contents of the XML file, see Administrator Audit Log Structure.

When you run the Search-AdminAuditLog cmdlet, all the audit log entries that match the search criteria that you specify are returned. You can specify the following search criteria:

Cmdlets Specifies the cmdlets you want to search for in the administrator audit log.

Parameters Specifies the parameters you want to search for in the administrator audit log. You can only search for parameters if you specify a cmdlet to search for.

End date Scopes the administrator audit log results to log entries that occurred on or before the specified date.

Start date Scopes the administrator audit log results to log entries that occurred on or after the specified date.

Object IDs Specifies that only administrator audit log entries that contain the specified changed objects should be returned

User IDs Specifies that only the administrator audit log entries that contain the specified IDs of the user who ran the cmdlet should be returned.

Successful completion Specifies whether only administrator audit log entries that indicated a success or failure should be returned.

Each audit log entry returned contains the information described in the table in Audit Log Contents. By default, only the first 1,000 log entries that match the criteria you specify are returned. However, you can override this default and return more or fewer entries using the ResultSize parameter. You can specify a value of Unlimited with the ResultSize parameter to return all log entries that match the specified criteria.

The New-AdminAuditLogSearch cmdlet searches the audit log just like the Search-AdminAuditLog cmdlet. However, instead of displaying the results of the audit log search in the Shell, the New-AdminAuditLogSearch cmdlet performs the search and then sends the results of the search to a recipient you specify via e-mail. The results are included as an XML attachment to the e-mail message.

You can use the same search criteria with the New-AdminAuditLogSearch cmdlet that's used on the Search-AdminAuditLog cmdlet. For a list of the search criteria, see Search-AdminAuditLog Cmdlet.

After you run the New-AdminAuditLogSearch cmdlet, Exchange may take up to 15 minutes to deliver the report to the specified recipient. The XML file attached report can be a maximum of 10 megabytes (MB). The XML file contains the same information described in the table in Audit Log Contents. For more information about the structure of the XML file, see Administrator Audit Log Structure.

Note:

Outlook Web App doesn't allow you to open XML attachments by default. You can either configure Exchange to allow XML attachments to be viewed using Outlook Web App, or you can use another e-mail client, such as Microsoft OfficeOutlook, to view the attachment. For information about how to configure Outlook Web App to allow you to view an XML attachment, see View or Configure Outlook Web App Virtual Directories.

In addition to logging Exchange cmdlets when they're run, Exchange 2010 SP1 enables you to manually write log entries to the audit log. Exchange 2010 SP1 supports this using the Write-AdminAuditLog cmdlet. Situations where you might want to add a manual log entry include the following:

Custom script entry and exit

Change control information

Maintenance start and end times

With the Write-AdminAuditLog cmdlet, you specify a string of text to include in the audit log using the Comment parameter. The Comment parameter accepts an alphanumeric string up to 500 characters. Included in the manual audit log entry along with the comment string is all of the same information captured when an Exchange cmdlet is logged. For a description of each field included in the audit log, see the table in Audit Log Contents.

You can retrieve manual audit log entries the same way as any other log entry, using the ECP Auditing Reports page or using the Search-AdminAuditLog or New-AdminAuditLogSearch cmdlets.

Administrator audit logging relies on Active Directory replication to replicate the configuration settings you specify to the domain controllers in your organization. Depending on your replication settings, the changes you make may not be immediately applied to all servers running Exchange 2010 in your organization.

The Admin Audit Log built-in cmdlet extension agent performs administrator audit logging of cmdlet operations in Exchange 2010. This agent reads the audit log configuration, and then performs an evaluation of each cmdlet run in your organization. If the criteria you've specified in the audit log configuration matches the cmdlet that's being run, the agent generates an audit log.

The Admin Audit Log agent is enabled by default, which is required for audit logging to function. It can't be disabled, and its priority can't be changed. For more information about cmdlet extension agents, see Understanding Cmdlet Extension Agents.

By default, the admin audit log is enabled in Exchange Server 2010. The log results are stored in the arbitration mailbox in the AdminAuditLogs folder. If cmdlets are executed in the Exchange Management Shell frequently, multiple log entries are generated, and may cause the size of the database to grow quickly. This behavior may occur even if no user mailboxes exist.

To determine the size of the AdminAuditLogs folder, run the following cmdlet in the Exchange Management Shell: Get-MailboxFolderstatistics "Guid of arbitration mailbox" -FolderScope RecoverableItems –IncludeAnalysis. Next, view the item count and size of the AdminAuditLogs folder.

If the item count and the size of the AdminAuditLogs folder are high, run the following cmdlet to delete the items from the folder: Search-Mailbox Guid of arbitration mailbox -Dumpsteronly -deletecontent.

A cmdlet that is being executed frequently may be causing the database growth. Typically, the cmdlet is in a script that is scheduled to run periodically. Identify the cmdlet that is causing the admin audit log to grow. After you confirm that the cmdlet can be excluded from the admin audit log, run the following cmdlet in the Exchange Management Shell: Set-AdminAuditLogConfig AdminAuditLogExcludedCmdlets cmdlet name. For example, run the following cmdlet: Set-AdminAuditLogConfig AdminAuditLogExcludedCmdlets Add-DistributionGroupMember. After you run the cmdlet, you must wait for replication to be completed.